Tuesday, March 3, 2015

Announcing our 1st Suits and Spooks All Stars event at Soho House NYC (June 19-20, 2015)

We've held 10 Suits and Spooks events since 2011. 

Who have been some of your favorite speakers?

Beginning July 1, 2015, Soho House, our Suits and Spooks home in NYC, will be closing the Library (our past venue) for renovations and will turn it into a members-only space, which means that we won't be able to hold future events there after June 30th. 

Therefore, in honor of that great venue, we've selected NYC for our first All-Stars Suits and Spooks event. We want to feature some of our most popular speakers and give each of them more time (45 minutes) to talk and interact with our attendees.

Attendance will be limited to 75 people and there will be a commemorative t-shirt designed for the occasion. 

Please contact me with your nominations for speakers, and if your employer is interested in sponsorship, please contact our events manager.

Early bird tickets will go on sale in mid-March. Please watch SuitsandSpooks.com for a future announcement.

Friday, February 27, 2015

I'm Looking For A CEO with Enterprise Sales Experience

As part of our latest funding round (pre-Series A), I need to find a CEO to run our new Herndon, VA office and build a sales and marketing team. The ideal candidate has both startup and enterprise experience with U.S. companies, or with European companies that have a large number of U.S. customers.

Taia Global, Inc. is a Delaware corporation founded in 2011 and qualifies as an early-stage startup. Our customer base is small but includes two of the largest defense contractors in the world plus another Global 100 company (financial sector) which will be coming onboard in April.

If you agree with us that companies should focus on identifying and securing their crown jewels, and you meet the above basic qualifications, please send me a current CV. If you know of anyone who may be interested in the position, please share this post with them. We are looking to make a decision soon. All candidates will have to go through a thorough vetting process and meet with our board and investors.

Tuesday, January 20, 2015

NSA Docs Show Almost No Access To North Korea Before 2010, And Limited Access Thereafter

“We lack uniform agreement on assessing many things in North Korea” - DNI James Clapper (2013)
According to the NSA document released yesterday by Der Spiegel and quoted by the New York Times, NSA's access to North Korea "was next to nothing" prior to 2010. That rules out any direct NSA evidence of North Korea being responsible for the 2009 Independence Day attacks against U.S. and South Korean websites. Yet "unnamed officials with knowledge of the case" made the exact opposite claim (U.S. Spies Say They Tracked Sony Hackers For Years), a claim that can only be read as fantasy or as patently false given the staggering number of intelligence failures the U.S. has suffered on North Korea over the long term and up to the present. Here are just a few examples:

2010: North Korea spent 18 months building a new uranium enrichment plant that the U.S. never discovered until Pyongyang announced it in 2010.
2011: Kim Jong-il's death went undiscovered until NK television announced it more than two days later.
2013: Three months after NK's third nuclear test, the U.S. still couldn't assess the state of NK's uranium enrichment. The CIA had to reverse its initial assessment of Kim Jong-un's military ambitions (they were greater than the CIA had thought), and the DIA's assessment of the North's ability to miniaturize a warhead was publicly disputed by both Clapper and Obama.
2013: The Washington Post reported that the NSA's own Black Budget reveals that their North Korean access is the worst of any country.
More broadly, the lapses also raise a question of why, 63 years after the outbreak of the Korean War — itself a move the United States did not see coming — gathering information about the North has, in the words of one frequent intelligence consumer, “made Syria and Iran look like an open book.” - David Sanger and Choi Sang-Hun (NYTimes, May 2013)

What Do We Know About Attacks Blamed On North Korea

Pretty much everything that we think we know about cyber attacks coming from North Korea originates in South Korea. So the first question is: how accurate is South Korea's intelligence on the North? The answer, based upon multiple sources, is that it's questionable at best and fraudulent at worst.

The Economist featured an article about South Korea's troubled National Intelligence Service (NIS) in March, 2014.
"But the South’s efforts have been complicated by a series of intelligence mishaps. Won Sei-hoon, the former head of the NIS who resigned last March, is himself currently undergoing trial on charges of discrediting key opposition figures as pro-North leftists online and manipulating public opinion in favour of Ms Park in the run-up to the 2012 presidential election that brought her to power. The NIS says that its online posts were routine psychological warfare operations against North Korea. Now the president’s new spy chief, Nam Jae-joon, is under mounting pressure from the opposition and ruling-party politicians alike to step down amid an investigation into his agency's alleged fabrication of evidence in an espionage case. Last week prosecutors carried out a rare raid of the spooks’ headquarters—the second time the offices have been searched in just over a year. On March 15th prosecutors arrested an NIS agent in connection with the forgery."
The Economist article also addressed the benefits provided to North Korean defectors and the problems associated with fraudulent defector claims. All of the information that we think we know about Lab 110 and North Korea's cyber warfare capabilities in general came from North Korean defectors. Unfortunately, there's no way to judge how much of that is even accurate.

The 2009 Independence Day Attacks

The NIS claimed that it had intercepted a document from the North Korean government which ordered Lab 110 to "destroy the South Korean puppet communications networks in an instant". 

What actually happened was that someone launched a weak DDoS attack using ancient malware (MyDoom) that had next to no impact at all. An interesting side point is that the MyDoom malware is believed to be Russian in origin according to Kaspersky Lab. That kind of gross exaggeration suggests that the NIS may be just a tad over-zealous in its assessments of the North.

The 2013 Dark Seoul Attacks

I looked at four reports issued by four different cyber security companies on Dark Seoul. Of the four, McAfee implied that it was the North Korean government. Symantec's report said that the South Korean press blamed North Korea. Kaspersky said it couldn't say, and Sophos gave reasons why it probably wasn't North Korea.

Sophos: "What's curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated. For this reason, it's hard to jump to the immediate conclusion that this was necessarily evidence of a "cyberwarfare" attack coming from North Korea."

Kaspersky: “So, is this an isolated incident or part of a bigger cyberwar campaign? Honestly speaking, we don't know.”

Symantec: “While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea.”

McAfee: "Who conducted these attacks is still unclear, but our research gives some further insight into the likely source. The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source."

The 2014 Sony Attack

Attribution to North Korea for the Sony attack is built on flimsy, fraudulent, or non-existent intelligence. Pick two.

The private sector reports relied upon the Dark Seoul and Independence Day attacks, which conflicted with each other and failed to give direct attribution to North Korea. In the meantime, no one at the FBI, NSA, ODNI (Office of the Director of National Intelligence), or EOP (Executive Office of the President) can answer the most fundamental questions associated with criminal investigations.
- They don't know who actually attacked Sony. 
- They don't know how they did it. 
- They don't know why they did it. 

By their own admission, the entire U.S. intelligence apparatus is dealing with a black hole when it comes to North Korea. Before 2010, the NSA had relied primarily upon South Korea's NIS, whose leadership has been charged with acts of fraud. Even after 2010, when the NSA supposedly had direct access to computers in NK, it missed pretty much everything of importance.

The RGB (Reconnaissance General Bureau) has been built up by Western analysts into a cyber warfare superpower, yet nothing about the Sony attack was sophisticated. Based on linguistic analysis, the RGB most likely didn't use its own people, but why hire out? Certainly not because they couldn't do it themselves, and obviously not for plausible deniability. Kim's juvenile threats before the film's release made it easy to paint him as the culprit.

The answer to this riddle must lie somewhere in the political realm. For whatever reason, someone in a leadership position in the Intelligence Community or the EOP saw the Sony attack as an opportunity to score a win against North Korea after a miserable multi-year run of intelligence failures. Unfortunately, the President and the Directors of both the FBI and the NSA have staked their professional reputations on that stupid political act, and I predict that it will backfire in a spectacular way. 

Friday, January 16, 2015

Mercenary Hacker Crews Offering Espionage-as-a-Service Are On The Rise

We published our new report on Espionage-as-a-Service today. Here's a copy of the press release along with a link to the report itself.

MCLEAN, Va., Jan. 16, 2015 /PRNewswire/ -- Although the Sony attack was loud, damaging and hugely embarrassing to the company, the bigger threat is from mercenary hacker crews who steal billions of dollars of valuable technology secrets every year from U.S. companies on behalf of paying clients, according to Jeffrey Carr, President and CEO of Taia Global, Inc.
"These mercenary hacker groups range from small groups with little funding to specialty shops run by ex-government spooks to highly financed criminal groups who use similar if not identical tactics to nation state actors," according to Carr, the author of a new report on the subject. "That they are rarely discovered is due in part to their skill level and in part to being mis-identified as a state actor instead of a non-state actor if they are discovered. The low risk of discovery, frequent misattribution to a nation state, and growing demand of their services ensures that the EaaS threat actor will flourish in the coming 12 to 24 months."
The FBI filed a criminal complaint last summer and a federal grand jury subsequently indicted Su Bin, the President of Lode-Tech. Bin was charged with 5 counts of conspiracy on a cyber espionage campaign that was in operation from at least 2010 until 2014. The hacker crew that he hired wasn't named and is presumed to still be active.  Stolen technologies included information about the F-35, F-22, and C-17 aircraft, and according to the criminal complaint, the hackers claimed that they were in a position to breach the network of Brahmos Aerospace, a joint venture between the Indian government and a Russian joint stock company.
"This report reveals details on EaaS operations culled from court documents, published papers, and personal interviews that I've had with Russian and Chinese hackers," said Carr. "It also helps companies understand how to defend against this new type of threat actor."
Mercenary hacker groups are small, skillful, well-paid and have no nation-state affiliation. Instead, they are hackers for hire, whether the client is a Chinese millionaire like Su Bin, a Russian oligarch or a western business competitor of the company being targeted. The aerospace industry is among the hardest hit, but any company that is investing in high value research and development can be a target. Taia Global's report "The TRIES Framework: Counter-Reconnaissance against EaaS Threat Actors" is available for download at TaiaGlobal.com or by calling Mr. Jeffrey Carr at (855-777-8242).

Wednesday, January 14, 2015

A Ukraine Anti-Corruption Policeman's Appeal For Justice

"I don’t really know if I have any possibility to appeal to the Nation again, or if I will be alive, I don’t know, but I beg you to take a chance to change the situation in the country." - Lt. Col. Iegor Bodrov, Ukraine Ministry of Internal Affairs
Three days ago I wrote a blog post about a hacker who was trying to get his friend and former colleague, Lt. Col. Iegor Bodrov of the Ministry of Internal Affairs, released from prison after being put there by a corrupt Prosecutor and his deputies. This case has had no coverage in Ukraine itself so I'm asking that you share this message from Lt. Col. Bodrov via your own social networks and hopefully a journalist will pick it up.

Below is an English transcript of Bodrov's message to the people of Ukraine delivered via a video posting on YouTube.


WHERE IS the position of TRUTH in UKRAINE
( At the very beginning -- on the black background )

In continuation of the story I told earlier about the persecution of me and my family by high-ranking officials of the General Prosecutor's Office of Ukraine, I would like to declare that one of the scenarios I predicted earlier has taken place. At the moment I am being held under arrest without a warrant, after an illegal detention and placement in a cell, due to the unjust decision of the judge of the Pechersk district court, a decision that violated provisions of the Criminal Procedural Code of Ukraine.

Sunday, January 11, 2015

Hacker Aids Ukrainian Intelligence Colonel Arrested For Fighting Corruption

UPDATE 27JAN2015: Graham Stack of BusinessNewEurope has also written about corrupt practices at the Ukraine Prosecutor's Office. Please read their investigation and share the link.


Ukraine's revolution isn't easy to understand. Some Russians who live there want the old pro-Russian regime back and have aligned themselves with the Putin government. Most Ukrainians want their independence and support new leadership that isn't so attached to the Russian government. And then there are Russians with friends and family in Ukraine who are anti-Putin and support the goals of the Euromaidan revolution. However, the one thing that the old regime and the new regime have in common is corruption.

Just how corrupt became clear when Lt. Col. Iegor Bodrov, the Chief of the department for the combating of organized crime at Ukraine's Ministry of Internal Affairs, was arrested after he tried to expose how the Prosecutor General of Ukraine Vitaliy Yarema together with accomplices Deputies Anatoliy Danilenko and Nikolay Gerasimyuk paid bribes and laundered money for their own gain.

Bodrov was arrested on November 25, 2014 on the charge of aiding and abetting terrorists, namely the "DNR" (Donetskaya Narodnaya Respublika, Donetsk People's Republic) and the "LNR" (Luganskaya Narodnaya Respublika, Luhansk People's Republic). His arrest was based solely on the questionable testimony of one man, an SBU (State Security Service) officer.

Ten days prior to his arrest, an RGD-5 fragmentation grenade was planted in the personal car of Bodrov's spouse which put her and their three children at risk (letters describing what happened are above). Despite Bodrov reporting the incident and asking for an investigation, nothing was done.

Although Bodrov remains in prison, the evidence that he has gathered about corruption in high places has been made public by a friend and former contractor - a hacker who goes by the alias "Yama Tough".
- Bribe-taking in the amount of USD 5 million by the Prosecutor General of Ukraine, Mr. Vitaliy Yarema, in complicity with his Deputies.
- Money laundering in the amount of USD 2 million by means of the purchase of real estate in France (Paris), Croatia and Ukraine. (Source: http://imgur.com/a/qWrsV)
- Money laundering and onward offshore transfer of USD 4 million by Mr. Yarema's son (a student), through the extension of a loan to an offshore company (Kup-X LLC) secured against a cash deposit with Avant Bank, plus tax evasion on the passive income arising from that cash deposit. (Source: http://imgur.com/a/MEMPP)
- Additional evidence points to: the cancellation of a criminal case by Vitaliy Yarema at the request of his son, causing about USD 1 million in damages; concealment (cover-up) of extortion by public officers in the amount of USD 20 thousand (the email from the son to VY); and misappropriation of 140 hectares of land by Vitaliy Yarema's Deputy, Anatoliy Danilenko, for the benefit of his son, with the aid of a Deputy of the Supreme Court of Ukraine. (Sources: http://imgur.com/a/NHBPN and the evidence archive in .rar format at https://mega.co.nz/#!8pdDyTAI!sXFASGkpabaNQWxnloqzwwJSAHqiJklB3l7OHCSRwUo)

Bodrov remains in prison
As of this writing, Lt. Col. Bodrov remains in prison for merely doing his job - rooting out corruption. His application for release has not been heard and no investigations into his charges have been initiated. 

Wednesday, January 7, 2015

FBI Director Comey's Single Point Of Failure on Sony

FBI Director Comey laid his entire agency's credibility on the line today at an FBI-sanctioned cybersecurity event in New York City, where he provided new information on the Sony hack:
“In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said. “Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using…were exclusively used by the North Koreans.”
This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:
“SEOUL - A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years.... The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”
The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector. The FBI, the NSA, and the private security companies upon which they rely for information believe that any attack linked to a North Korean IP address must be one that is government sanctioned since North Korea maintains such tight control over its Internet and Intranet. That is the FBI's single point of failure because while that might have been true prior to 2009, it isn't true any longer.

Access to North Korea's IP blocks is relatively easy if you go in through China, Thailand, Japan, Germany or other countries where North Korea has strategic connections. For example, in 2007 the Korea Central News Agency established a server in Japan to bypass blocking efforts by South Korea's Ministry of Unification. North Korea's Uriminzokkiri news website runs on a Chinese server. The Korea Computer Center (KCC) maintains offices in Beijing and Dalian. The Gwang Myong IT Center, a KCC spin-off with offices in China, sells network security products such as anti-virus and data encryption to international clients, including financial institutions in Japan.

North Korea has a growing IT and animation sector according to Dutch business consultant Paul Tjia. "NK firms have quietly developed software for banks in the Middle East, applications for cell phone makers in Japan and South Korea and even video games for Nintendo and Playstation".

However, the easiest way to compromise a node on North Korea's Internet is to go through its ISP, Star Joint Venture. Star JV is a joint venture between the North Korea Post and Telecommunications Corporation and another joint venture, Loxley Pacific (Loxpac). Loxpac is itself a joint venture of Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).

I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA were most likely basing their attribution findings on the myth of a "closed" North Korean Internet. Loxley is owned by one of Thailand's most well-connected families, and just 4 kilometers away is the five-star St. Regis hotel where one of the hackers first dumped Sony's files over the hotel's WiFi. It would be a simple matter to gain access to Loxley's or Loxpac's network via an insider or through a spear phishing attack and then browse NK's intranet with trusted Loxpac credentials.

Once there, how hard would it be to compromise a server? According to HP's North Korea Security Briefing (August 2014) it would be like stealing candy from a baby. HP scanned the IP blocks involved in the Dark Seoul attacks (175.45.178.xx and 175.45.179.xx) and detected "dated technology that is potentially susceptible to multiple vulnerabilities and consistently showed the same open ports and active devices on scanned hosts." Apparently the North Korean government worries more about controlling Internet access among its population than it does about hardening its Internet-facing systems. Did the FBI's Red Team rule that out? Did they even consider it?
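The two questions that the "sloppy direct connection" argument runs together can be kept apart mechanically. The Python below is an added example, not code from the original post or from any of the FBI, HP or NIS material it cites. It takes a constructed set of source addresses (RFC 5737 documentation ranges stand in for proxy exits and unrelated hosts), checks them against the 175.45.176.0/22 block that APNIC allocates to Star Joint Venture (the block containing the 175.45.178.x and 175.45.179.x addresses quoted above), and then scores the "direct connection from DPRK space" finding with a small analysis-of-competing-hypotheses (ACH) table. The hypotheses, the evidence rows and their consistency marks are assumptions chosen for illustration; the point they make is the post's: an address inside the allocation rules out an actor who never touched DPRK space, but does not separate state operators from a third party using a host in that space.

```python
"""Added example (not from the original post): keep "which network did the
connection come from" apart from "which actor made it"."""
import ipaddress
from collections import Counter

# APNIC allocates 175.45.176.0/22 to Star Joint Venture Co. Ltd, the DPRK ISP
# named in the post. It contains the 175.45.178.x / 175.45.179.x addresses
# quoted above from the Dark Seoul reporting and the HP briefing.
DPRK_ALLOCATIONS = [ipaddress.ip_network("175.45.176.0/22")]

# Constructed stand-ins using RFC 5737 documentation ranges, not real infrastructure.
KNOWN_PROXY_EXITS = {ipaddress.ip_address("198.51.100.7"),
                     ipaddress.ip_address("198.51.100.9")}

# Constructed observations: (artefact, source address as seen by the recipient).
OBSERVATIONS = [
    ("email-1", "198.51.100.7"),     # via proxy
    ("paste-1", "198.51.100.9"),     # via proxy
    ("email-2", "175.45.178.15"),    # a "sloppy" direct connection
    ("paste-2", "175.45.179.200"),   # another direct connection
    ("email-3", "192.0.2.44"),       # neither a known proxy nor DPRK space
]


def origin_class(ip_str):
    """Question 1, which is mechanical: where does the address sit?"""
    ip = ipaddress.ip_address(ip_str)
    if ip in KNOWN_PROXY_EXITS:
        return "proxy"
    if any(ip in net for net in DPRK_ALLOCATIONS):
        return "dprk-allocated"
    return "other"


def summarise(observations=OBSERVATIONS):
    """Counts per origin class; this is all an address lookup can yield."""
    return dict(Counter(origin_class(ip) for _, ip in observations))


# Question 2, as an ACH table. Hypotheses (assumed for illustration):
#   H1: DPRK state operators working from their own network
#   H2: a third party on a host inside DPRK space (compromised box, partner-
#       network credentials, or an insider at the ISP), as the post describes
#   H3: an actor who never touched DPRK space, hiding behind proxies only
# Each evidence row marks the hypotheses it is consistent with (True) or
# inconsistent with (False). The marks are assumptions, not findings.
EVIDENCE = {
    "direct connections from DPRK-allocated addresses":
        {"H1": True, "H2": True, "H3": False},
    "most connections routed through proxies":
        {"H1": True, "H2": True, "H3": True},
    "hosts in the block run dated, exposed services (HP 2014)":
        {"H1": True, "H2": True, "H3": True},
    "unsophisticated tooling":
        {"H1": True, "H2": True, "H3": True},
}


def diagnostic_evidence(evidence=EVIDENCE):
    """Rows consistent with every hypothesis carry no diagnostic weight."""
    return [name for name, row in evidence.items() if not all(row.values())]


def surviving_hypotheses(evidence=EVIDENCE):
    """ACH keeps the hypotheses that no evidence row is inconsistent with."""
    hyps = sorted({h for row in evidence.values() for h in row})
    return [h for h in hyps if all(row[h] for row in evidence.values())]


if __name__ == "__main__":
    print(summarise())
    print("diagnostic rows:", diagnostic_evidence())
    print("surviving hypotheses:", surviving_hypotheses())
```

Run it and the only row that discriminates is the direct-connection one, and it discriminates against H3, not between H1 and H2. Anything that narrows H1 versus H2 has to come from somewhere other than the address, for example host-level evidence from the Star JV space or from the partner networks named above, which is exactly the check the post asks whether the FBI's Red Team performed.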

It simply isn't enough for the FBI director to say "We know who hacked Sony. It was the North Koreans" in a protected environment where no questions were permitted (I never allow that at Suits and Spooks events). The burden of proof always lies with the person who lays the charges. As of today, the U.S. government is in the uniquely embarrassing position of having been tricked by a hacker crew into charging another foreign government with a crime it didn't commit. I predict that these hackers, and others, will escalate their attacks until the U.S. figures out what it's doing wrong in incident attribution and fixes it.